
MuddyWater BlackWater campaign used new anti-detection techniques

A recent MuddyWater campaign tracked as BlackWater shows that the APT group added new anti-detection techniques to its arsenal.

Security experts at Cisco Talos attributed the recently spotted campaign tracked as “BlackWater” to the MuddyWater APT group (aka SeedWorm and TEMP.Zagros). 

The researchers also pointed out that the cyber espionage group has been updating its tactics, techniques, and procedures (TTPs), adding three distinct steps to its operations to avoid detection.

The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.

The experts named the campaign ‘MuddyWater’ because of the confusion in attributing a wave of attacks, carried out between February and October 2017, that targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The group evolved over the years by adding new attack techniques to its arsenal.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group targeting the Asia and Middle East regions from January 2018 to March 2018.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

In June 2018, Trend Micro researchers discovered a new attack relying on weaponized Word documents and PowerShell scripts that appeared related to the MuddyWater APT. The final payload delivered in that campaign was the PRB-Backdoor RAT, controlled by a command and control (C&C) server at outl00k[.]net.

This campaign aims at installing a PowerShell-based backdoor onto the victim’s machine for espionage purposes.

As part of the recent BlackWater campaign, the MuddyWater APT group leveraged an obfuscated Visual Basic for Applications (VBA) macro script to add a Run registry key and gain persistence.
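The Run-key persistence described above is usually the first thing a responder checks on a suspect host. The following script is an added example and not code from the Talos analysis: it parses the text layout printed by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and scores each autostart entry with a few common heuristics (script hosts, flags that hide or weaken execution, user-writable paths). The sample output it parses is constructed, and the weights and threshold are a judgement call, not values from the article.

```python
"""Triage of Run-key autostart entries, the kind of check a responder runs
when hunting for registry persistence.  Added example, not Talos code; the
reg.exe output below is constructed."""
import re

# Constructed sample in the layout printed by `reg query HKCU\...\Run`.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive     REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SysUpdate    REG_SZ    powershell.exe -w hidden -nop -ep bypass -File C:\Users\alice\AppData\Roaming\upd.ps1
    Helper       REG_SZ    wscript.exe //B C:\Users\Public\helper.vbs
"""

# "    <name>    <type>    <data>" as printed by reg.exe
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")
# First token of the command line, quoted or bare
FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

# Heuristics (weights are a judgement call, not values from the article).
SCRIPT_HOSTS = {"powershell", "pwsh", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32", "cmd"}
QUIET_FLAGS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
               "-ep bypass", "-executionpolicy bypass", "-enc", "//b")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def parse_run_entries(text):
    """Return (name, type, data) tuples from reg.exe query output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"]))
    return entries


def score_entry(data):
    """Score one autostart command line; higher means more worth a look."""
    low = data.lower()
    m = FIRST_TOKEN.match(low)
    if not m:
        return 0, []
    first = m.group(1) or m.group(2)
    exe = first.rsplit("\\", 1)[-1].rsplit(".", 1)[0]   # basename without extension
    score, reasons = 0, []
    if exe in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"script host {exe}")
    hits = [f for f in QUIET_FLAGS if f in low]
    if hits:
        score += 2
        reasons.append("quiet/bypass flags " + ",".join(hits))
    if any(p in low for p in USER_WRITABLE):
        score += 1
        reasons.append("user-writable path")
    return score, reasons


def triage_run_entries(text, threshold=2):
    """Return [(name, score, reasons)] for entries at or above threshold."""
    flagged = []
    for name, _type, data in parse_run_entries(text):
        score, reasons = score_entry(data)
        if score >= threshold:
            flagged.append((name, score, reasons))
    return flagged


if __name__ == "__main__":
    for name, score, reasons in triage_run_entries(SAMPLE_REG_QUERY):
        print(f"{name}: score {score} ({'; '.join(reasons)})")
```

A user-writable path alone scores below the threshold on purpose: plenty of legitimate per-user software autostarts from `AppData`, so that signal only adds weight when combined with a script host or a hidden/bypass flag.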

The attackers then used a PowerShell stager script, masquerading as a red-teaming tool, that downloaded a PowerShell-based Trojan from a C2 server.

The stager downloaded from the C2 a component of the FruityC2 agent script, an open-source framework hosted on GitHub, which was used to enumerate the host machine.

“This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity,” reads the analysis published by the Talos group. “Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field. This would make host-based detection more difficult, as an easily identifiable ‘errors.txt’ file would not be generated.”

The cyberspies also replaced some variable strings in the more recent samples to evade signature-based detection by YARA rules.

The attackers used a document that, once opened, prompted the user to enable a macro titled “BlackWater.bas”. They password-protected the macro to prevent the user from viewing it in the Visual Basic editor. The “BlackWater.bas” macro was obfuscated with a substitution cipher in which each character is replaced by its corresponding integer value.
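Because the substitution above simply swaps each character for its integer code, an analyst can recover the readable strings from a dumped macro without executing it. The script below is an added example, not the campaign's macro or Talos tooling: the VBA fragment it scans is constructed, the `Conv()` helper name is invented, and the integer lists encode strings chosen for illustration.

```python
"""Recover readable strings from a macro that stores them as lists of
character codes (integer-substitution obfuscation).  Added example; the VBA
snippet is constructed and Conv() is an invented helper name."""
import re
import string

# Constructed sample: each string literal is hidden as an integer list.
SAMPLE_MACRO = """
Dim cmd As String
cmd = Conv(Array(112,111,119,101,114,115,104,101,108,108))
tag = Conv(Array(66, 108, 97, 99, 107, 87, 97, 116, 101, 114))
key = Conv(Array(72,75,67,85,92,83,111,102,116,119,97,114,101))
ver = Array(1, 2)
"""

# A run of at least four comma-separated integers (short lists are ignored
# so version numbers and the like are not decoded).
INT_RUN = re.compile(r"\d{1,3}(?:\s*,\s*\d{1,3}){3,}")
PRINTABLE = set(string.printable)


def decode_run(run):
    """Map each integer to its character; None if any value is not printable."""
    out = []
    for token in run.split(","):
        ch = chr(int(token))
        if ch not in PRINTABLE:
            return None
        out.append(ch)
    return "".join(out)


def extract_strings(text):
    """Return [(offset_in_text, decoded_string)] for every decodable run."""
    found = []
    for m in INT_RUN.finditer(text):
        decoded = decode_run(m.group(0))
        if decoded is not None:
            found.append((m.start(), decoded))
    return found


def indicators(text, needles=("powershell", "blackwater")):
    """Case-insensitive check of the decoded strings against known markers."""
    decoded = [s.lower() for _, s in extract_strings(text)]
    return sorted({n for n in needles if any(n in s for s in decoded)})


if __name__ == "__main__":
    for offset, s in extract_strings(SAMPLE_MACRO):
        print(f"@{offset}: {s!r}")
    print("markers:", indicators(SAMPLE_MACRO))
```

Matching on the decoded content rather than on the obfuscated literals is also the more durable detection choice here: the article notes that the actor renamed variable strings between samples to slip past YARA rules, and a rule keyed to decoded values such as the campaign tag survives that kind of cosmetic change.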

“This series of commands first sent a server hello message to the C2, followed by a subsequent hello message every 300 seconds. An example of this beacon is ‘hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater.’” continues the analysis. “Notably, the trojanized document’s macro was also called ‘BlackWater,’ and the value ‘BlackWater’ was hard coded into the PowerShell script. Next, the script would enumerate the victim’s machine.”
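Two of the behaviours Talos quotes are network-observable: the fixed 300-second hello to the C2, and the enumeration results being sent back in the URL field of requests to a second C2. The following script is an added example, not Talos tooling, showing how both can be surfaced from web proxy logs. The log lines are constructed; only the beacon URL shape and the C2 address come from the article, while the timestamps, client addresses and the second host name are invented.

```python
"""Detect fixed-interval beaconing and data carried in URL query strings in
proxy logs.  Added example, not Talos tooling; the log is constructed (the
beacon URL and C2 address are quoted from the analysis, all else invented)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

LONG_QUERY = "QUJD" * 60   # constructed 240-char stand-in for exfiltrated data

# Constructed proxy log: "<ISO timestamp> <client> <method> <url>".
SAMPLE_LOG = f"""\
2019-05-20T10:00:00Z 10.0.0.15 GET http://82.102.8.101/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:00:07Z 10.0.0.15 GET http://www.example.org/index.html
2019-05-20T10:03:12Z 10.0.0.22 GET http://www.example.org/index.html
2019-05-20T10:05:00Z 10.0.0.15 GET http://82.102.8.101/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:10:01Z 10.0.0.15 GET http://82.102.8.101/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:14:59Z 10.0.0.15 GET http://82.102.8.101/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:20:00Z 10.0.0.15 GET http://82.102.8.101/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:20:03Z 10.0.0.15 GET http://second-c2.invalid/r.php?d={LONG_QUERY}
2019-05-20T10:31:40Z 10.0.0.22 GET http://www.example.org/news
2019-05-20T11:02:05Z 10.0.0.22 GET http://www.example.org/about
"""


def parse_log(text):
    """Return (timestamp, client, host, path, query) per non-empty line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        u = urlsplit(url)
        records.append((when, client, u.hostname, u.path, u.query))
    return records


def find_beacons(records, min_hits=4, max_cv=0.05):
    """Flag (client, host, period_s) pairs whose request gaps are near-constant.
    cv = stddev/mean of the gaps; a tight timer sits close to zero."""
    by_pair = defaultdict(list)
    for when, client, host, _path, _query in records:
        by_pair[(client, host)].append(when)
    hits = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, host, round(avg)))
    return hits


def find_long_queries(records, min_len=128):
    """Requests whose query string is long enough to be carrying data out."""
    return [(client, host, len(query))
            for _when, client, host, _path, query in records if len(query) >= min_len]


def find_marker(records, marker="BlackWater"):
    """Plain signature: the hard-coded campaign tag appearing in the query."""
    return [(client, host) for _when, client, host, _path, query in records
            if marker in query]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(recs))
    print("long queries:", find_long_queries(recs))
    print("marker hits:", find_marker(recs))
```

The interval test is the one that keeps working once the actor renames the script or the query parameter: a 300-second timer with a few seconds of jitter still yields a coefficient of variation near zero, whereas human browsing of the same host does not. The thresholds (`min_hits`, `max_cv`, `min_len`) are starting points to tune against your own traffic, not values from the article.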

Experts conclude that, although the changes implemented by the threat actor were minimal, they were significant enough to evade detection and let the group continue its operations.


Pierluigi Paganini

(SecurityAffairs – MuddyWater, APT)
